VMware ACE 1.0 Release Notes

VMware ACE allows security administrators to protect critical company resources against the risks that unmanaged computers present. This document also contains new features, limitations, caveats, security fixes, and general release information.

What's New in ACE 1.0.1

For enhanced security, the administrator can set a BIOS password to prevent unauthorized changes to the BIOS settings of a virtual machine.

Support for Drag and Drop Function

You can use drag and drop to copy files between a virtual machine running in a VMware ACE environment and the host computer. The administrator who is configuring the virtual machine can enable or disable this feature.
In VMware ACE Manager, choose VM > Settings > Options > Guest Isolation. The setting applies to the individual virtual machine.

Enhanced Full Screen Display

Running a VMware ACE environment in full screen mode does not change the resolution of the host display. The VMware ACE environment automatically adjusts to changes in the host's display resolution while VMware ACE is running. If the display resolution of the VMware ACE environment is higher than that of the host, scroll bars allow the user to move in the VMware ACE display. VMware ACE is aware of multiple monitors, if they are configured on the host. These enhancements improve the end-user experience.

Support for Guest Operating Systems

This release adds support for the following guest operating systems:

Windows Server 2003 Service Pack 1

Novell Linux Desktop 9

Red Hat Enterprise Linux 4

Red Hat Enterprise Linux 3 Update 4

Red Hat Enterprise Linux 3 Update 3

Red Hat Enterprise Linux 2.1 Update 6

SUSE LINUX Enterprise Server 9 Service Pack 1

SUSE LINUX 9.2

What's New in VMware ACE 1.0

VMware ACE 1.0 provides the following features:

Manageability

Design once, deploy anywhere — Create standardized hardware-independent PC environments and deploy them to any PC throughout the extended enterprise.

Customizable interface — Customize the behavior and look and feel for end users.

Flexible computing environment — End users can revert to a previous state within seconds and can work online or when disconnected from the enterprise network.

Before You Begin

Installing on a Computer with a Different VMware Product

VMware ACE Manager cannot be installed on a computer where VMware Workstation or VMware Server is installed. If you have one of these products installed on the computer where you want to install VMware ACE Manager, use the Add/Remove Programs in the control panel to remove the existing product, and then install VMware ACE Manager.

You can install VMware ACE Manager on a computer that has VMware Remote Console or VMware VirtualCenter installed.

Follow the same guidelines for the VMware ACE application installed on end user computers.

Creating and Adding Virtual Machines

You can create new virtual machines in a VMware ACE project. VMware ACE also allows you to use an existing virtual machine, created under VMware Workstation 4.x or VMware Server 3.x, in a project.

Install the Latest Version of VMware Tools

If you use virtual machines (either virtual machines created in a different VMware product or virtual machines created in an earlier release of VMware ACE), ensure that you install the version of VMware Tools included in the latest release (in the virtual machine, select Install VMware Tools). The New Package Wizard stops you from creating a package if the virtual machines do not have the current version of VMware Tools.

Known Issues

The following are known issues with VMware ACE 1.0.x:

When you attempt to install VMware ACE 1.0.x on a host that already has a higher 1.0.x or 2.0.x version of ACE installed, the installation incorrectly indicates that a previous version of ACE is installed. If you proceed with installing, the higher version of VMware ACE is uninstalled and replaced with the lower version. Workaround: Manually uninstall the latest version before proceeding with the installation of the older version.

In the Japanese version of VMware ACE, text is corrupted in the installer during upgrades from VMware ACE versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, or 1.0.4 to VMware ACE version 2.0.x.

VMware ACE 1.0.8

VMware products emulate hardware functions and create the possibility to run guest operating systems.
A flaw in the CPU hardware emulation might allow the virtual CPU to incorrectly handle the trap flag. Exploitation of this flaw might lead to a privilege escalation on guest operating systems.
An attacker needs a user account on the guest operating system and the ability to run applications.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-4915 to this issue.

VMware ACE 1.0.7

ACE 1.0.7 addresses the following security issues:

Setting ActiveX killbit

Starting from this release, VMware has set the killbit on its ActiveX controls. Setting the killbit ensures that the ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See KB 240797 from Microsoft and the related references on this topic.
Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of-service or allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in the IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user.
Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompt when unsafe actions are requested.
Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls.
To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions.
The Common Vulnerabilities and Exposures project has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, and CVE-2008-3696 to the security issues with VMware ActiveX controls.

Security Fix for Local Privilege Escalation on Host System

This release fixes a privilege escalation vulnerability in the host operating system. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2008-3698 to this issue.

Update to FreeType

FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to its latest version 2.3.7.
The Common Vulnerabilities and Exposures project has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in FreeType 2.3.6.

VMware ACE 1.0.5

ACE 1.0.5 addresses the following security issues:

An internal security audit determined that a malicious user might attain the LocalSystem privileges. The user might make the authd process connect to a named pipe that is opened and controlled by the malicious user. In this situation, the malicious user might successfully impersonate authd and attain privileges under which authd is running.
(Foundstone CODE-BUG-H-001)

A security vulnerability in OpenSSL 0.9.7j might make it possible to forge an RSA key signature. VMware ACE 1.0.5 upgrades OpenSSL to version 0.9.7l to prevent this vulnerability.
(RSA Signature Forgery — CVE-2006-4339)

This release updates the libpng library version to 1.2.22 to prevent various security vulnerabilities.

A vulnerability in VMware ACE running on Windows allowed complete access to the host's file system from a guest machine. This access included the ability to create and modify executable files in sensitive locations.
(CORE-2007-0930)

The authd process read and honored the vmx.fullpath variable in the user-writable file config.ini, creating a security vulnerability.

A non-administrator might be able to modify the config.ini file to change the VMX launch path. This created a vulnerability that can be exploited to escalate user privileges.

VMware ACE 1.0.4

ACE 1.0.4 addresses the following security issues:

This release fixes several security vulnerabilities in the VMware DHCP server, which might enable a malicious Web page to gain system-level privileges.
The Common Vulnerabilities and Exposures assigned the following names to these issues: CVE-2007-0061, CVE-2007-0062, and CVE-2007-0063.
Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities.

This release fixes a security vulnerability that might allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and potentially allow running of arbitrary code on the host. The Common Vulnerabilities and Exposures project assigned the following name to this issue: CVE-2007-4496.
Thanks to Rafal Wojtczvk of McAfee for identifying and reporting this issue.

This release fixes a security vulnerability that might allow a guest operating system user without administrator privileges to cause a host process to stop responding or exit unexpectedly, making the guest operating system unusable. The Common Vulnerabilities and Exposures project assigned the following name to this issue: CVE-2007-4497.
Thanks to Rafal Wojtczvk of McAfee for identifying and reporting this issue.

This release fixes an issue that prevented VMware Player from launching. This issue was accompanied by the error message VMware Player unrecoverable error: (player) Exception 0xc0000005 (access violation) has occurred. This issue might result in a security vulnerability from some images stored in virtual machines downloaded by the user.

This release fixes a security vulnerability that might allow a malicious remote user to exploit the library file IntraProcessLogging.dll to overwrite files in a system.
The Common Vulnerabilities and Exposures assigned the following name to this issue: CVE-2007-4059.
Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities.

This release fixes a security vulnerability that might allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system.
The Common Vulnerabilities and Exposures project assigned the following name to this issue: CVE-2007-4155.
Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities.

This release fixes an issue that might result in a security vulnerability from some images stored in virtual machines downloaded by the user.

This release fixes a security vulnerability in which VMware ACE was starting registered Windows services such as the Authorization service with bare (unquoted) paths, such as c:\program files\vmware\.... Applications and services in Windows must be started with a quoted path. This vulnerability might allow a malicious user to escalate user privileges.
Thanks to Foundstone for discovering this vulnerability.
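An audit for the unquoted-path condition described above, added here as an example (it is not VMware's code): given service ImagePath strings, it reports which files Windows would try before the intended executable and gives the quoted form. The service names and paths are constructed, and it assumes the executable ends in .exe and that environment variables are already expanded.

```python
import ntpath
import re

# The first ".exe" followed by whitespace or end of string ends the intended binary.
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def split_command(image_path):
    """Split an unquoted ImagePath into (executable, arguments)."""
    path = image_path.strip()
    m = EXE_END.search(path)
    return (path[:m.end()], path[m.end():]) if m else (path, "")

def interception_candidates(image_path):
    """Files Windows tries, in order, before the intended binary.

    For an unquoted command line, CreateProcess treats each space as a possible
    end of the program name and appends ".exe" when the name has no extension.
    """
    if image_path.strip().startswith('"'):
        return []  # quoted: the program name is unambiguous
    exe, _ = split_command(image_path)
    found = []
    for i, ch in enumerate(exe):
        if ch == " " and exe[i - 1] != " ":
            prefix = exe[:i]
            found.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return found

def quoted(image_path):
    """Return the ImagePath with its executable quoted (the corrected form)."""
    if image_path.strip().startswith('"'):
        return image_path.strip()
    exe, args = split_command(image_path)
    return f'"{exe}"{args}'

def audit(services):
    """Map service name -> (candidates, corrected ImagePath) for risky entries."""
    return {name: (hits, quoted(path)) for name, path in services.items()
            if (hits := interception_candidates(path))}

# Constructed sample data: hypothetical service names and paths.
SAMPLE_SERVICES = {
    "ExampleAuthSvc": r"C:\Program Files\Example Vendor\authsvc.exe -service",
    "ExampleQuoted": r'"C:\Program Files\Example Vendor\authsvc.exe" -service',
    "ExampleNoSpace": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for name, (hits, fix) in audit(SAMPLE_SERVICES).items():
        print(f"{name}: tried first {hits}; corrected: {fix}")
```

The input values correspond to the ImagePath entries under HKLM\SYSTEM\CurrentControlSet\Services; any service the audit reports should have its ImagePath rewritten in the quoted form.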

VMware ACE 1.0.3

ACE 1.0.3 addresses the following security issues:

Virtual machines can be put in various states of suspension, as specified by the ACPI power management standard. When returning from a sleep state (S2) to the run state (S0), the virtual machine process (VMX) collects information about the last recorded running state for the virtual machine. Under some circumstances, VMX read state information from an incorrect memory location. This issue might be used to cause a successful denial-of-service attack where the virtual machine must be rebooted.
The Common Vulnerabilities and Exposures project assigned the name CVE-2007-1337 to this issue.
Thanks to Tavis Ormandy of Google for identifying this issue.

Some VMware products support storing configuration information in VMware system files. Under some circumstances, a malicious user might instruct the virtual machine process (VMX) to store malformed data, causing an error. This error might enable a successful denial-of-service attack on guest operating systems.
The Common Vulnerabilities and Exposures assigned the name CVE-2007-1877 to this issue.
Thanks to Sungard Ixsecurity for identifying this issue.

Some VMware products managed memory in a way that failed to gracefully handle some general protection faults (GPF) in Windows guest operating systems. A malicious user might use this vulnerability to stop Windows virtual machines. While this vulnerability might allow an attacker to stop a virtual machine, it is possible to escalate privileges or escape virtual containment.
The Common Vulnerabilities and Exposures assigned the name CVE-2007-1069 to this issue.
Thanks to Ruben Santamarta of Reversemode for identifying this issue.

In a 64-bit Windows guest on a 64-bit host, debugging local programs might create system instability. Using a debugger to step into a syscall instruction might corrupt the virtual machine's register context. This corruption produces unpredictable results, including corrupted stack pointers, kernel bugchecks, or VMX process failures.
The Common Vulnerabilities and Exposures assigned the name CVE-2007-1876 to this issue.
Thanks to Ken Johnson for identifying this issue.

Shared Folders is a feature that enables users of guest operating systems to access a specified set of folders in the host's file system. A vulnerability exists that might allow an attacker to write arbitrary content from a guest system to arbitrary locations on the host system. In order to exploit this vulnerability, the VMware system must have at least one folder shared. Although the Shared Folder feature is enabled by default, no folders are shared by default, which means this vulnerability is not exploitable by default.
The Common Vulnerabilities and Exposures assigned the name CVE-2007-1744 to this issue.
Thanks to Greg MacManus of iDefense Labs for identifying this issue.

A malicious user might make plaintext additions to the encrypted preferences file by overwriting the file while VMware Player is running.

In addition, VMware ACE 1.0.3 fixes the following issues:

In the previous ACE release, if you added a USB controller to a Windows virtual machine on a Windows host and booted the virtual machine, the USB controller failed to initialize, with the message "A supported host USB driver not found".

An issue with powering on virtual machines resulted from corruption of the preferences file.

An issue with VMware Tools caused the guest to run out of memory.

The virtual machine fails to power on with error message Access to this virtual machine blocked. An error was encountered while checking if this VM was encrypted properly.

VMware ACE 1.0.2

ACE 1.0.2 addresses the security vulnerability in NAT Networking
This release addresses a security vulnerability that has been discovered in VMware ACE. Since this issue is serious, VMware recommends that you install the VMware ACE 1.0.2 update or disable NAT networking. For more information, see the following Knowledge Base articles: